Cyber Incident Victim: Cardpool
Date:
Feb 2019
Location:
United States of America
Summary
A Russian hacker sold nearly 900,000 gift cards purportedly valued at $38 million from thousands of brands, alongside 330,000 debit card records, with both datasets likely originating from a breach at the discount gift card platform Cardpool. The gift cards were auctioned at a fraction of their claimed value, suggesting potential overstatement or low validity rates, while the debit card data lacked CVV codes and cardholder names, limiting usability for certain fraudulent transactions. The breach was attributed to compromised backend access, potentially via CMS vulnerabilities or credential brute-forcing, enabling unauthorized exfiltration of payment and gift card assets.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Cardpool incident involved a significant data breach occurring between February 4, 2019, and August 4, 2019, affecting the now-defunct discount gift card platform Cardpool.com. Attackers gained unauthorized access to the company's systems, potentially through methods such as exploiting vulnerabilities in the site’s content management system or brute-forcing administrative credentials. During this six-month compromise, threat actors exfiltrated payment card data from approximately 330,000 debit cards, including billing addresses, card numbers, expiration dates, and issuing bank names. This dataset lacked cardholder names and CVV codes, limiting its utility for card-not-present transactions but still posing fraud risks. The same attackers also acquired a database containing 895,000 gift cards from 3,010 brands, including major retailers and service providers like Amazon, Walmart, Airbnb, Nike, and Target, with an estimated total face value of $38 million.
In April 2021, a Russian hacker auctioned both datasets on a prominent underground forum. The gift card database was sold first, with an auction starting at $10,000 and a $20,000 "buy-now" price, which was quickly claimed. The unusually low sale price—approximately 0.05% of the claimed value—led analysts to question the validity of the $38 million valuation, suggesting either inflated figures for marketing purposes or a high rate of expired or low-balance cards. One day later, the same actor offered the debit card records in a separate auction starting at $5,000 with a $15,000 immediate purchase option. Threat intelligence firm Gemini Advisory linked both datasets to the 2019 Cardpool breach, noting the temporal overlap and the platform’s role in processing card payments for gift card purchases. The breach exposed consumers to potential financial fraud, while the bulk sale of gift cards enabled widespread unauthorized redemptions across thousands of businesses. No remediation efforts by Cardpool were documented, as the company had already ceased operations prior to the data’s underground sale.